Method for constructing logic circuits of small depth and complexity for operation of inversion in finite fields of characteristic 2

ABSTRACT

A method for constructing a logic circuit for inversion in finite field GF(2^(m)) is described, where m=nk, and k, n are coprime numbers, using bases in subfields GF(2^(n)) and GF(2^(k)). The method may be applied to error correction codes, including BCH codes, Reed-Solomon codes (which are a subset of BCH codes), turbo codes, and the like.

FIELD OF THE INVENTION

The present invention generally relates to a scheme for arithmetic operations in finite fields, and more particularly, to a computational scheme for arithmetic operations in finite fields of characteristic 2 such as GF(2^(m)), where m is a composite number, which is to be utilized in realizing error correction coding.

BACKGROUND OF THE INVENTION

An error correction code is an algorithm for expressing a sequence of numbers such that any errors which are introduced may be detected and corrected (within certain limitations) based on the remaining numbers. The study of error correction codes and the associated mathematics is known as coding theory. The commonly used error correction codes in digital communications and data storage may include BCH (Bose-Chaudhuri-Hocquenghem) codes, Reed-Solomon codes (which are a subset of BCH codes), turbo codes, and the like.

Error correction codes are often defined in terms of Galois or finite field arithmetic. A Galois field is commonly identified by the number of elements which the field contains. The elements of a Galois field may be represented as polynomials in a particular primitive field element, with coefficients in the prime subfield. Since the number of elements contained in a Galois field is always equal to a prime number, q, raised to a positive integer power, m, the notation GF(q^(m)) is commonly used to refer to the finite field containing q^(m) elements. In such a field all operations between elements comprising the field yield results which are each elements of the field.

Finite fields of characteristic 2 are important because these fields have data structures suitable for computers and may be utilized in error correction coding and cryptography. Conventionally, inverse calculation over a finite field with characteristic 2 may require an enormous amount of calculations compared with multiplication. For example, a well-known method for calculating inverses in a finite field follows directly from the cyclic structure of such a field: the inverse of a field element may be obtained directly by exponentiation. To be more precise: a⁻¹=a^(−2+2^(n)). A person skilled in the art will recognize that this operation may be accomplished with 2n−3 multiplications. Logic circuits for inverse operation based on such a method may thus have large depth and complexity. The depth of a logic circuit is the maximal number of logic elements in a path from a circuit input to a circuit output. The depth may determine the delay of the circuit. The complexity of a logic circuit is the number of logic elements in the circuit. The logic elements may have two inputs and one output.

Therefore, it would be desirable to provide a method for constructing logic circuits of small depth and complexity for operation of inversion in finite fields of characteristic 2.

SUMMARY OF THE INVENTION

Accordingly, the present invention is directed to a method for constructing a logic circuit for inversion in finite field GF(2^(m)), where m=nk, and k, n are coprime numbers, using bases in subfields GF(2^(n)) and GF(2^(k)). The present invention may be applied to error correction codes, including BCH codes, Reed-Solomon codes (which are a subset of BCH codes), turbo codes, and the like.

It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention as claimed. The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate an embodiment of the invention and together with the general description, serve to explain the principles of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

The numerous advantages of the present invention may be better understood by those skilled in the art by reference to the accompanying figures in which:

FIG. 1 shows an exemplary configuration of a 2n-bit inverse calculation device in accordance with the present invention; and

FIG. 2 depicts an exemplary configuration of a 3n-bit inverse calculation device in accordance with the present invention.

DETAILED DESCRIPTION OF THE INVENTION

Reference will now be made in detail to the presently preferred embodiments of the invention, examples of which are illustrated in the accompanying drawings.

One aspect of the present invention is directed to a method for constructing a logic circuit for inversion in finite field GF(2^(m)), where m=nk, and k, n are coprime numbers, from its subfield GF(2^(n)). The advantage of this method may lie in the fact that the structure of the subfield may remain accessible to direct manipulation when this type of construction is used. Furthermore, arithmetic operations defined in GF(2^(m)) may be directly calculated in terms of arithmetic operations, including addition, multiplication, square, inversion, division, and the like, performed in the constituent subfield GF(2^(n)).

According to one aspect of the present invention, logic circuits of small depth and complexity for operation of inversion in finite fields of characteristic 2 may be constructed. The depth of a logic circuit is the maximal number of logic elements in a path from a circuit input to a circuit output. The logic elements may include an exclusive OR unit (for addition), a multiplication unit (for multiplication), a square unit (for square), an inverse calculation unit (for inversion), and the like. The depth may determine the delay of the circuit. The complexity of a logic circuit is the number of logic elements in the circuit. The logic elements may have two inputs and one output. The logic circuit constructed according to the present invention may have less depth and complexity than the logic circuit constructed according to the conventional methods if the bases of the finite fields have a dimension less than 32.

The present invention may be applied to error correction codes, including BCH codes, Reed-Solomon codes (which are a subset of BCH codes), turbo codes, and the like because all devices for encoding and decoding may contain modules for multiplication and inversion.

The method of the present invention will be described in detail below.

Denote a polynomial basis in the field GF(2^(n)) B^(α)={1,α,α²,α³, . . . ,α^(n−1)}, where p(α)=0, p(x)=p_(n−1)x^(n−1)+ . . . +p₀, p_(i)=0,1 and p(x) is an irreducible polynomial (the minimal polynomial of the element α, the generator of the basis).

Denote a normal basis in the field GF(2^(n)) B_(α)={α,α²,α⁴,α⁸,α¹⁶, . . . ,α^(2^(n−1))}. Normal bases may exist only for some irreducible polynomials p(x).

Normal bases may have such an advantage that squaring in these bases is equivalent to a shift operation: (x₀α+x₁α²+ . . . +x_(n−1)α^(2^(n−1)))²=x_(n−1)α+x₀α²+x₁α⁴+ . . . +x_(n−2)α^(2^(n−1))

Let

$\xi = \sum\limits_{i=0}^{n-1} x_{i}\alpha^{2^{i}}, \quad \zeta = \sum\limits_{j=0}^{n-1} y_{j}\alpha^{2^{j}}$ be any elements of the field GF(2^(n)), then their product (multiplication) may be represented by the equality:

$\pi = \sum\limits_{m=0}^{n-1} p_{m}\alpha^{2^{m}}$, where $p_{m} = \sum\limits_{i,j=0}^{n-1} t_{i-j,m-j}\,x_{i}y_{j}$, $\alpha\,\alpha^{2^{i}} = \sum\limits_{j=0}^{n-1} t_{i,j}\alpha^{2^{j}}$, and t_(i,j) is a multiplication table of the given basis.

If one defines a matrix A as a_(i,j)=t_(i−j,−j), where the subtractions i−j and −j are taken modulo n, then the foregoing formulas may be represented as

${p_{m} = {\sum\limits_{i,{j = 0}}^{n - 1}{a_{i,j}{S^{m}\left( x_{i} \right)}{S^{m}\left( y_{j} \right)}}}},$ where S^(m) is a shift of the vector by m components, and

${A\left( {x,y} \right)} = {\sum\limits_{i,{j = 0}}^{n - 1}{a_{i,j}x_{i}y_{j}}}$ is a bilinear form associated with the matrix A.

Let m=nk, where k, n are coprime numbers. One may choose in fields GF(2^(n)), GF(2^(k)) any normal bases B_(α)={α,α²,α⁴,α⁸,α¹⁶, . . . ,α^(2^(k−1))}, B_(β)={β,β²,β⁴,β⁸,β¹⁶, . . . ,β^(2^(n−1))}. Then the product of these bases B_(αβ)={αβ,αβ², . . . ,αβ^(2^(n−1)), . . . ,α^(2^(k−1))β, . . . ,α^(2^(k−1))β^(2^(n−1))} is some permutation of some normal basis in the field GF(2^(m)).

Using Quadratic Extension

Let k=2, and let n not be divisible by 2. One may use in the field GF(2^(2n)) a basis B_(αβ)={αβ,αβ², . . . ,αβ^(2^(n−1)),α²β, . . . ,α²β^(2^(n−1))}, which is a product of the optimal normal basis of order 2 B_(α)={α,α²}, α+α²=1, and any normal (or standard polynomial) basis B_(β).

In field GF(2^(n)) the norm N of any element x₀α+x₁α²∈GF(2^(m)) is equal to

$\begin{aligned} N &= \left(x_{0}\alpha + x_{1}\alpha^{2}\right)\left(x_{0}\alpha^{2} + x_{1}\alpha\right) \\ &= x_{0}x_{1}\left(\alpha^{2} + \alpha^{4}\right) + \left(x_{0}^{2} + x_{1}^{2}\right)\alpha^{3} \\ &= \left(x_{0}^{2} + x_{1}^{2}\right) + x_{0}x_{1} \in GF\left(2^{n}\right). \end{aligned}$

The equality for an operation of inversion in the field GF(2^(2n)) is (x₀α+x₁α²)⁻¹=(x₀α²+x₁α)/N=(x₁/N)α+(x₀/N)α².

FIG. 1 shows an exemplary configuration of a 2n-bit inverse calculation device 100 according to one aspect of the present invention. The 2n-bit inverse calculation device 100 may include two n-bit exclusive OR units (A_(n)) 108 and 110, three n-bit multiplication units (M_(n)) 102, 114 and 116, two n-bit square units (S_(n)) 104 and 106, and one n-bit inverse calculation unit (I_(n)) 112.

As shown in FIG. 1, the 2n-bit inverse calculation device 100 may calculate the inverse e⁻¹=(x₁/N)α+(x₀/N)α²∈GF(2^(2n)) of an element e=x₀α+x₁α²∈GF(2^(2n)) by using arithmetic operations in a subfield GF(2^(n)). First, a 2n-bit input e may be split into two n-bit parts x₀ and x₁. Then, x₀ may be duplicated to provide inputs to M_(n) 102, S_(n) 104, and M_(n) 116, and x₁ may be duplicated to provide inputs to M_(n) 102, S_(n) 106, and M_(n) 114. M_(n) 102 may receive inputs x₀ and x₁ and output x₀x₁, which may be an input to A_(n) 108. S_(n) 104 may receive x₀ as an input and output x₀², which may become an input to A_(n) 108. A_(n) 108 may receive x₀x₁ and x₀² as inputs and output x₀x₁+x₀², which may become an input to A_(n) 110. S_(n) 106 may receive x₁ as an input and output x₁², which may become an input to A_(n) 110. A_(n) 110 may receive x₀x₁+x₀² and x₁² as inputs and output x₀x₁+x₀²+x₁², which is the norm N and may become an input to I_(n) 112. I_(n) 112 may receive N as an input and output 1/N, which may be duplicated to provide inputs to M_(n) 114 and M_(n) 116. M_(n) 116 may receive x₀ and 1/N as inputs and output x₀/N. M_(n) 114 may receive x₁ and 1/N as inputs and output x₁/N. x₀/N and x₁/N may then be joined and outputted as the inverse e⁻¹, which is in 2n bits.

Recurrent upper bound of the complexity of an inversion is L(I(2n))≦L(I(n))+2L(M(n))+L(N(2n)), where L(N(2n)) is the complexity of the norm, and L(M(n)) is the complexity of multiplication in the field GF(2^(n)).

Recurrent upper bound of the depth of inversion is D(I(2n))≦D(I(n))+D(M(n))+D(N(2n)).

Valid estimation of the complexity and the depth of norm N may be as follows: L(N(2n))≦L(M(n))+2L(K(n))+n, D(N(2n))≦D(M(n))+1, where L(K(n)) is the complexity of squaring in the base B_(β) of the field GF(2^(n)). If B_(β) is a normal basis, then L(K(n))=0, and L(N(2n))=L(M(n)), D(N(2n))=D(M(n)) in many practical cases.

Multiplication may be represented by the formula (x₀α+x₁α²)(y₀α+y₁α²)=(x₁y₀+(x₁+x₀)y₁)α+(x₁y₀+x₀(y₀+y₁))α².

Recurrent upper bounds of the complexity and the depth of multiplication are L(M(2n))≦3L(M(n))+4n, D(M(2n))≦D(M(n))+2.

Using Cubic Extension

Let k=3, and let n not be divisible by 3. One may use in the field GF(2^(3n)) a basis B_(αβ)={αβ,αβ², . . . ,αβ^(2^(n−1)), . . . ,α⁴β, . . . ,α⁴β^(2^(n−1))}, which is a product of the optimal normal basis of order 3 B_(α)={α,α²,α⁴}, α²+α³=1, and any normal (or standard polynomial) basis B_(β).

In field GF(2^(n)) the norm N of any element (x₀α+x₁α²+x₂α⁴)∈GF(q³), q=2^(n), x_(i)∈GF(q) is

$\begin{aligned} N &= \left(x_{0}\alpha + x_{1}\alpha^{2} + x_{2}\alpha^{4}\right)\left(x_{1}\alpha + x_{2}\alpha^{2} + x_{0}\alpha^{4}\right)\left(x_{2}\alpha + x_{0}\alpha^{2} + x_{1}\alpha^{4}\right) \\ &= x_{0}x_{1}x_{2} + \left(x_{1}^{2} + x_{2}^{2}\right)x_{2} + \left(x_{0}^{2} + x_{2}^{2}\right)x_{0} + \left(x_{1}^{2} + x_{0}^{2}\right)x_{1} \\ &= x_{0}x_{1}x_{2} + \left(x_{1} + x_{2}\right)^{3} + \left(x_{0} + x_{2}\right)^{2}\left(x_{0} + x_{1}\right) \in GF(q). \end{aligned}$

Inversion of any element (x₀α+x₁α²+x₂α⁴)∈GF(q³), x_(i)∈GF(q) may be represented by the equality (x₀α+x₁α²+x₂α⁴)⁻¹=(x₁α+x₂α²+x₀α⁴)(x₂α+x₀α²+x₁α⁴)/N, where (x₁α+x₂α²+x₀α⁴)(x₂α+x₀α²+x₁α⁴)=((x₀+x₂)²+x₁x₂)α+((x₁+x₀)²+x₀x₂)α²+((x₁+x₂)²+x₁x₀)α⁴. This equality demonstrates that coordinates X_(i) of inverse element (x₀α+x₁α²+x₂α⁴)⁻¹ may be shifted if coordinates x_(i) are shifted.

Referring now to FIG. 2, an exemplary configuration of a 3n-bit inverse calculation device 200 according to one aspect of the present invention is shown. The 3n-bit inverse calculation device 200 may include eight n-bit exclusive OR units (A_(n)) 202, 204, 206, 222, 224, 226, 232 and 234, six n-bit multiplication units (M_(n)) 208, 210, 212, 220, 228, and 230, and three n-bit square units (S_(n)) 214, 216 and 218.

The 3n-bit inverse calculation device 200 may calculate the inverse E⁻¹=[((x₀+x₂)²+x₁x₂)/N]α+[((x₁+x₀)²+x₀x₂)/N]α²+[((x₁+x₂)²+x₁x₀)/N]α⁴=(z₀/N)α+(z₁/N)α²+(z₂/N)α⁴∈GF(2^(3n)) of an element E=(x₀α+x₁α²+x₂α⁴)∈GF(2^(3n)) by using arithmetic operations in a subfield GF(2^(n)). First, a 3n-bit input E may be split into three n-bit parts x₀, x₁ and x₂. A_(n) 202 may have x₀ and x₂ as inputs and output t₁=x₀+x₂. S_(n) 214 may have t₁ as an input and output t₇=t₁²=(x₀+x₂)², which may become inputs to A_(n) 222 and M_(n) 230. A_(n) 204 may have x₀ and x₁ as inputs and output t₂=x₀+x₁, which may become inputs to S_(n) 216 and M_(n) 230. S_(n) 216 may have t₂ as an input and output t₈=t₂²=(x₀+x₁)², which may become an input to A_(n) 224. A_(n) 206 may have x₁ and x₂ as inputs and output t₃=x₁+x₂, which may become inputs to S_(n) 218 and M_(n) 228. S_(n) 218 may have t₃ as an input and output t₉=t₃²=(x₁+x₂)², which may become inputs to A_(n) 226 and M_(n) 228.

M_(n) 208 may have x₀ and x₁ as inputs and output t₄=x₀x₁, which may become an input to A_(n) 226. M_(n) 210 may have x₁ and x₂ as inputs and output t₅=x₁x₂, which may become an input to A_(n) 222. M_(n) 212 may have x₀ and x₂ as inputs and output t₆=x₀x₂, which may become inputs to A_(n) 224 and M_(n) 220. M_(n) 220 may have x₁ and t₆ as inputs and output t₁₃=x₁t₆=x₀x₁x₂, which may become an input to A_(n) 234.

A_(n) 222 may receive t₅ and t₇ as inputs and output z₀=(x₀+x₂)²+x₁x₂. A_(n) 224 may receive t₆ and t₈ as inputs and output z₁=(x₁+x₀)²+x₀x₂. A_(n) 226 may receive t₄ and t₉ as inputs and output z₂=(x₁+x₂)²+x₁x₀.

M_(n) 228 may have t₃ and t₉ as inputs and output t₁₀=t₃t₉=(x₁+x₂)(x₁+x₂)²=(x₁+x₂)³, which may become an input to A_(n) 232. M_(n) 230 may have t₂ and t₇ as inputs and output t₁₁=t₂t₇=(x₀+x₁)(x₀+x₂)², which may become an input to A_(n) 232. A_(n) 232 may have t₁₀ and t₁₁ as inputs and output t₁₂=t₁₀+t₁₁=(x₁+x₂)³+(x₀+x₁)(x₀+x₂)², which may become an input to A_(n) 234. A_(n) 234 may have t₁₂ and t₁₃ as inputs and output N=t₁₂+t₁₃=(x₁+x₂)³+(x₀+x₁)(x₀+x₂)²+x₀x₁x₂.

After z₀, z₁, z₂, and N are obtained, those of ordinary skill in the art will understand how to obtain the inverse E⁻¹=(z₀/N)α+(z₁/N)α²+(z₂/N)α⁴∈GF(2^(3n)). For example, an n-bit inverse calculation unit (I_(n)) may be provided, which may have N as an input and output 1/N. Three additional n-bit multiplication units (M_(n)) may also be applied: the first M_(n) may have z₀ and 1/N as inputs and output z₀/N; the second M_(n) may have z₁ and 1/N as inputs and output z₁/N; the third M_(n) may have z₂ and 1/N as inputs and output z₂/N. The obtained z₀/N, z₁/N and z₂/N may then be joined and outputted as the inverse E⁻¹, which is in 3n bits.

From the equality

$\begin{matrix} {N = {{x_{0}x_{1}x_{2}} + \left( {x_{1} + x_{2}} \right)^{3} + {\left( {x_{0} + x_{2}} \right)^{2}\left( {x_{0} + x_{1}} \right)}}} \\ {{= {{x_{0}\left( {x_{1}x_{2}} \right)} + \left( {{\left( {x_{1} + x_{2}} \right)^{2}\left( {x_{1} + x_{2}} \right)} + {\left( {x_{0} + x_{2}} \right)^{2}\left( {x_{0} + x_{1}} \right)}} \right)}},} \end{matrix}$ and assuming D(M(n))≧D(K(n))+2, upper bounds may be obtained: L(N(3n))≦4L(M(n))+2L(K(n))+4n, D(N(3n))≦2D(M(n))+1.

By realizing together with N the operators (x₀+x₂)²+x₁x₂, (x₁+x₀)²+x₀x₂, (x₁+x₂)²+x₁x₀ and executing in parallel the three multiplications by N⁻¹, estimations for the complexity and the depth of inversion in the field GF(2^(3n)) are: L(I(3n))≦L(I(n))+9L(M(n))+3L(K(n))+8n, D(I(3n))≦D(I(n))+3D(M(n))+1; and L(I(3n))≦L(I(n))+6L(M(n))+L(N(3n))+3L(K(n))+6n, D(I(3n))≦D(I(n))+D(M(n))+D(N(3n)). If B_(β) is a normal basis, then L(K(n))=0.

Inversion in Field GF(2³)

In the particular case x_(i)∈GF(2), the equality x_(i)²=x_(i) is valid, and consequently one may have the norm

$\begin{aligned} N &= x_{0}x_{1}x_{2} + \left(x_{1} + x_{2}\right)^{3} + \left(x_{0} + x_{2}\right)^{2}\left(x_{0} + x_{1}\right) \\ &= x_{0}x_{1}x_{2} + \left(x_{1} + x_{2}\right) + \left(x_{0} + x_{2}\right)\left(x_{0} + x_{1}\right) \\ &= x_{0}x_{1}x_{2} + x_{1} + x_{2} + x_{0} + x_{0}x_{2} + x_{1}x_{2} + x_{0}x_{1} \\ &= x_{0} \vee x_{1} \vee x_{2} \end{aligned}$ where ∨ represents a logical disjunction. The norm of nonzero elements in this case is equal to 1, so the inversion (x₀α+x₁α²+x₂α⁴)⁻¹ may be represented by the equalities: (x₀+x₂)²+x₁x₂=x₀+x₂+x₁x₂=x₀+x₂¬x₁, (x₁+x₀)²+x₀x₂=x₁+x₀+x₀x₂=x₁+x₀¬x₂, (x₁+x₂)²+x₁x₀=x₁+x₂+x₁x₀=x₂+x₁¬x₀. Consequently the complexity and the depth in this case have bounds: L(I(3))≦6, D(I(3))≦2.

Multiplication in Cubic Extension

Multiplication in a given basis B_(α) may be represented as follows:

(x₀α + x₁α² + x₂α⁴)(y₀α + y₁α² + y₂α⁴) = ((x₀y₁ + x₁y₀) + (x₁y₂ + x₂y₁) + x₂y₂)α + ((x₀y₂ + x₂y₀) + (x₁y₂ + x₂y₁) + x₀y₀)α² + ((x₀y₁ + x₁y₀) + (x₀y₂ + x₂y₀) + x₁y₁)α⁴

If the following brief notations are used, [i,j]=(x_(i)+x_(j))(y_(i)+y_(j)), (i,j)=(x_(i)y_(j)+x_(j)y_(i)), (i)=x_(i)y_(i), then [i,j]=(i,j)+(i)+(j). The multiplication equality may thus be rewritten as ((x₀y₁+x₁y₀)+(x₁y₂+x₂y₁)+x₂y₂)=(0,1)+(1,2)+(2)=[0,1]+[1,2]+(0), ((x₀y₂+x₂y₀)+(x₁y₂+x₂y₁)+x₀y₀)=(0,2)+(1,2)+(0)=[0,2]+[1,2]+(1), ((x₀y₁+x₁y₀)+(x₀y₂+x₂y₀)+x₁y₁)=(0,1)+(0,2)+(1)=[0,1]+[0,2]+(2).

The valid upper bounds for the complexity and the depth of multiplication are: L(M(3n))≦6L(M(n))+12n, D(M(3n))≦D(M(n))+3.
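The FIG. 1 and FIG. 2 dataflows and the quadratic and cubic multiplication formulas above can be checked exhaustively in software. The following Python sketch is an added example, not part of the original specification; it assumes n=5 with GF(2^5) in the polynomial basis of p(x)=x^5+x^2+1, and all function names are illustrative.

```python
"""Inversion in GF(2^(2n)) and GF(2^(3n)) through the subfield GF(2^n).

Assumptions of this sketch (not from the specification): n = 5, GF(2^5) in
the polynomial basis of p(x) = x^5 + x^2 + 1, elements stored as 5-bit ints.
n = 5 is odd and not divisible by 3, as the two extensions require.
Extension elements are tuples of coordinates in {alpha, alpha^2[, alpha^4]}.
"""
N_BITS = 5
POLY = 0b100101            # x^5 + x^2 + 1, irreducible over GF(2)
Q = 1 << N_BITS
ONE_2N = (1, 1)            # 1 = alpha + alpha^2
ONE_3N = (1, 1, 1)         # 1 = alpha + alpha^2 + alpha^4


def mul_n(a, b):
    """M_n: multiplication in GF(2^n), shift-and-add reduced by POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N_BITS:
            a ^= POLY
    return r


def sq_n(a):
    """S_n: squaring in GF(2^n)."""
    return mul_n(a, a)


def inv_n(a):
    """I_n: conventional a^(-1) = a^(2^n - 2), as the product of a^(2^i)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    r, s = 1, a
    for _ in range(N_BITS - 1):
        s = sq_n(s)
        r = mul_n(r, s)
    return r


def mul_2n(x, y):
    """Multiplication in basis {alpha, alpha^2}, alpha + alpha^2 = 1."""
    (x0, x1), (y0, y1) = x, y
    t = mul_n(x1, y0)
    return (t ^ mul_n(x1 ^ x0, y1), t ^ mul_n(x0, y0 ^ y1))


def inv_2n(e):
    """FIG. 1 dataflow: N = x0*x1 + x0^2 + x1^2, result (x1/N, x0/N)."""
    x0, x1 = e
    norm = mul_n(x0, x1) ^ sq_n(x0) ^ sq_n(x1)    # M102, S104, S106, A108, A110
    n_inv = inv_n(norm)                           # I112 (raises for e = 0)
    return (mul_n(x1, n_inv), mul_n(x0, n_inv))   # M114, M116


def mul_3n(x, y):
    """Multiplication in basis {alpha, alpha^2, alpha^4}, alpha^2 + alpha^3 = 1."""
    (x0, x1, x2), (y0, y1, y2) = x, y
    c01 = mul_n(x0, y1) ^ mul_n(x1, y0)
    c02 = mul_n(x0, y2) ^ mul_n(x2, y0)
    c12 = mul_n(x1, y2) ^ mul_n(x2, y1)
    return (c01 ^ c12 ^ mul_n(x2, y2),
            c02 ^ c12 ^ mul_n(x0, y0),
            c01 ^ c02 ^ mul_n(x1, y1))


def inv_3n(e):
    """FIG. 2 dataflow, followed by the I_n and three M_n units of the text."""
    x0, x1, x2 = e
    t1, t2, t3 = x0 ^ x2, x0 ^ x1, x1 ^ x2                       # A202, A204, A206
    t4, t5, t6 = mul_n(x0, x1), mul_n(x1, x2), mul_n(x0, x2)     # M208, M210, M212
    t7, t8, t9 = sq_n(t1), sq_n(t2), sq_n(t3)                    # S214, S216, S218
    z0, z1, z2 = t5 ^ t7, t6 ^ t8, t4 ^ t9                       # A222, A224, A226
    t10, t11, t13 = mul_n(t3, t9), mul_n(t2, t7), mul_n(x1, t6)  # M228, M230, M220
    norm = t10 ^ t11 ^ t13                                       # A232, A234
    n_inv = inv_n(norm)
    return (mul_n(z0, n_inv), mul_n(z1, n_inv), mul_n(z2, n_inv))


def count_failures_2n():
    """Nonzero e in GF(2^10) with e * inv_2n(e) != 1 (exhaustive)."""
    elems = ((a, b) for a in range(Q) for b in range(Q) if a or b)
    return sum(1 for e in elems if mul_2n(e, inv_2n(e)) != ONE_2N)


def count_failures_3n():
    """Nonzero e in GF(2^15) with e * inv_3n(e) != 1 (exhaustive)."""
    elems = ((a, b, c) for a in range(Q) for b in range(Q)
             for c in range(Q) if a or b or c)
    return sum(1 for e in elems if mul_3n(e, inv_3n(e)) != ONE_3N)


if __name__ == "__main__":
    print("GF(2^10) failures:", count_failures_2n())
    print("GF(2^15) failures:", count_failures_3n())
```

A subfield element c appears as (c, c) or (c, c, c) in these bases, so its inverse computed through the extension must agree coordinate by coordinate with inv_n(c).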

Using Biquadratic Extension

Let k=4, and let n not be divisible by 4. One may use in the field GF(2^(4n)) a basis B_(αβ)={αβ,αβ², . . . ,αβ^(2^(n−1)), . . . ,α⁸β, . . . ,α⁸β^(2^(n−1))}, which is a product of the optimal normal basis of order 4 B_(α)={α,α²,α⁴,α⁸}, α+α²+α³+α⁴=1, and any normal (or standard polynomial) basis B_(β).

Any element (x₀α+x₁α²+x₂α⁴+x₃α⁸)∈GF(q⁴), x_(i)∈GF(q), q=2^(n), may be inverted by the following equality: (x₀α+x₁α²+x₂α⁴+x₃α⁸)⁻¹=[(x₁α+x₂α²+x₃α⁴+x₀α⁸)(x₂α+x₃α²+x₀α⁴+x₁α⁸)(x₃α+x₀α²+x₁α⁴+x₂α⁸)]/N, where the norm N=(x₁α+x₂α²+x₃α⁴+x₀α⁸)(x₂α+x₃α²+x₀α⁴+x₁α⁸)(x₃α+x₀α²+x₁α⁴+x₂α⁸)(x₀α+x₁α²+x₂α⁴+x₃α⁸) is equal to

$\sum\limits_{i=0}^{3} x_{i}^{3} \sum\limits_{i=0}^{3} x_{i} + \sum\limits_{i=0}^{3} x_{i}^{2}\, x_{i \oplus 2}x_{i \oplus 3} + \left(\sum\limits_{i \neq j} x_{i}x_{j}\right)^{2} + \prod\limits_{i=0}^{3} x_{i} \in GF(q),$ and the product (x₁α+x₂α²+x₃α⁴+x₀α⁸)(x₂α+x₃α²+x₀α⁴+x₁α⁸)(x₃α+x₀α²+x₁α⁴+x₂α⁸) is equal to X₀α+X₁α²+X₂α⁴+X₃α⁸, where X₀=x₂(x₂²+m(x₀,x₁,x₃))+x₁x₂(x₁+x₂)+x₀x₃(x₀+x₃)+x₁(x₀+x₃)²+x₀x₂², X₁=x₃(x₃²+m(x₁,x₂,x₀))+x₂x₃(x₂+x₃)+x₁x₀(x₁+x₀)+x₂(x₁+x₀)²+x₁x₃², X₂=x₀(x₀²+m(x₂,x₃,x₁))+x₃x₀(x₃+x₀)+x₂x₁(x₂+x₁)+x₃(x₂+x₁)²+x₂x₀², X₃=x₁(x₁²+m(x₃,x₀,x₂))+x₀x₁(x₀+x₁)+x₃x₂(x₃+x₂)+x₀(x₃+x₂)²+x₃x₁², where m(x, y, z) is a brief notation for xy+xz+yz, and ⊕ is addition modulo 4.

Coordinates X_(i) of a given product shift if inputs shift.

For computation of N and all X_(i), one may at first compute all products x_(i)x_(j) with the complexity of 6L(M(n)), then compute all squares x_(i) ² with the complexity of 4L(K(n)), then compute all sums x_(i)+x_(j) with the complexity of 6n, then compute the formula

$\left( {\sum\limits_{i \neq j}{x_{i}x_{j}}} \right)^{2} + {\prod\limits_{i = 0}^{3}x_{i}}$ with the complexity L(M(n))+L(K(n))+6n and the depth of less than or equal to 2D(M(n))+2 (under the condition of D(M(n))≧D(K(n))+2), then compute

${\sum\limits_{i = 0}^{3}{x_{i}^{2}\mspace{11mu} x_{i \oplus 2}x_{i \oplus 3}}} = {{x_{0}{x_{3}\left( {{x_{0}x_{2}} + x_{1}^{2}} \right)}} + {x_{1}{x_{2}\left( {{x_{0}x_{2}} + x_{3}^{2}} \right)}}}$ with the complexity of 2L(M(n))+3n and the depth of 2D(M(n))+2, then compute

${\sum\limits_{i = 0}^{3}{x_{i}^{3}{\sum\limits_{i = 0}^{3}x_{i}}}} = {\sum\limits_{i = 0}^{3}{x_{i}^{2}x_{i}{\sum\limits_{i = 0}^{3}x_{i}}}}$ with the complexity of 5L(M(n))+n and the depth of 2D(M(n))+D(K(n))+2, and finally compute all X_(i) with the complexity of 12L(M(n))+20n and the depth of 2D(M(n))+3.

The total complexity of the logic circuit with outputs N and X_(i) may be equal to 26L(M(n))+36n+4L(K(n)), and the depth may be equal to 2D(M(n))+3+max{D(K(n)),1}.

Using the equality

${\sum\limits_{i \neq j}{x_{i}x_{j}}} = {{m\left( {x_{0},x_{1},x_{3}} \right)} + {m\left( {x_{3},x_{0},x_{2}} \right)} + {x_{0}x_{3}} + {x_{1}x_{2}}}$ may decrease the upper bound for complexity to 26L(M(n))+34n+4L(K(n)) under the condition of D(M(n))≧D(K(n))+3.

Using the equality

$\begin{aligned} X_{0} &= x_{2}^{2}\left(x_{0} + x_{2}\right) + x_{1}x_{2}\left(x_{1} + x_{2}\right) + \left(x_{2} + x_{0} + x_{3}\right)m\left(x_{0},x_{1},x_{3}\right) \\ &= x_{2}^{2}\left(x_{0} + x_{2} + x_{1}\right) + x_{1}^{2}x_{2} + \left(x_{2} + x_{0} + x_{3}\right)m\left(x_{0},x_{1},x_{3}\right) \end{aligned}$ one may rewrite other equalities as follows: X₁=x₃²(x₁+x₃+x₂)+x₂²x₃+(x₃+x₁+x₀)m(x₁,x₂,x₀), X₂=x₀²(x₂+x₀+x₃)+x₃²x₀+(x₀+x₂+x₁)m(x₂,x₃,x₁), X₃=x₁²(x₃+x₁+x₀)+x₀²x₁+(x₁+x₃+x₂)m(x₃,x₀,x₂).

Therefore, for computation of all X_(i) it is enough to use only sums x₀+x₃, x₁+x₂, and because all sums x₀+x₂+x₁, x₁+x₃+x₂, x₂+x₀+x₃, x₃+x₁+x₀ may be computed with 4 additions, the total complexity may decrease to 26L(M(n))+30n+4L(K(n)) with the same depth of 2D(M(n))+3+max{D(K(n)),1} (under the condition of D(M(n))≧D(K(n))+3).

Final bounds for complexity and depth may be: L(I(4n))≦L(I(n))+30L(M(n))+4L(K(n))+30n, D(I(4n))≦D(I(n))+3D(M(n))+3+max{D(K(n)),1}. If B_(β) is a normal basis, then L(K(n))=D(K(n))=0.

Inversion in Field GF(2⁴)

In the particular case x_(i)∈GF(2), the equality x_(i)²=x_(i) is valid, and consequently the norm

$\begin{aligned} N &= \sum\limits_{i=0}^{3} x_{i} + \sum\limits_{i=0}^{3} x_{i}x_{i \oplus 2}x_{i \oplus 3} + \sum\limits_{i \neq j} x_{i}x_{j} + \prod\limits_{i=0}^{3} x_{i} \\ &= \sum\limits_{I \Subset \{0,1,2,3\}} \prod\limits_{i \in I} x_{i} = x_{0} \vee x_{1} \vee x_{2} \vee x_{3} \end{aligned}$ The norm of a nonzero element in this case is equal to 1, so inversion (x₀α+x₁α²+x₂α⁴+x₃α⁸)⁻¹ may be represented by: X₀=a₂(a₀+¬m(a₀,a₁,a₃))+a₁(a₀+a₃), X₁=a₃(a₁+¬m(a₁,a₂,a₀))+a₂(a₁+a₀), X₂=a₀(a₂+¬m(a₂,a₃,a₁))+a₃(a₂+a₁), X₃=a₁(a₃+¬m(a₃,a₀,a₂))+a₀(a₃+a₂), where ¬m(x, y, z) denotes the negation of m(x, y, z)=xy+xz+yz.

Since

$\begin{aligned} a_{2}\left(a_{0} + \neg m\left(a_{0},a_{1},a_{3}\right)\right) + a_{1}\left(a_{0} + a_{3}\right) &= a_{2}\left(a_{0} + a_{0}a_{1} + a_{0}a_{3} + a_{1}a_{3} + 1\right) + a_{1}\left(a_{0} + a_{3}\right) \\ &= \left(a_{1}\neg a_{2}\right)\left(a_{0} + a_{3}\right) + a_{2}\left(\neg a_{0} \vee a_{3}\right), \end{aligned}$ the complexity of this equality is equal to 6 and the depth is equal to 3. Final bounds for the complexity and depth are L(I(4))≦24, D(I(4))≦3.

Multiplication in Biquadratic Extension

In a given basis B_(α)={α, α², α⁴, α⁸}, α+α²+α³+α⁴=1 the operation of multiplication may be represented by:

$\begin{aligned} &\left(a_{0}\alpha + a_{1}\alpha^{2} + a_{2}\alpha^{4} + a_{3}\alpha^{8}\right)\left(b_{0}\alpha + b_{1}\alpha^{2} + b_{2}\alpha^{4} + b_{3}\alpha^{8}\right) = \\ &\quad \left(a_{1}b_{2} + a_{2}b_{1} + a_{0}b_{2} + a_{2}b_{0} + a_{1}b_{3} + a_{3}b_{1} + a_{3}b_{3}\right)\alpha + \\ &\quad \left(a_{2}b_{3} + a_{3}b_{2} + a_{1}b_{3} + a_{3}b_{1} + a_{2}b_{0} + a_{0}b_{2} + a_{0}b_{0}\right)\alpha^{2} + \\ &\quad \left(a_{3}b_{0} + a_{0}b_{3} + a_{2}b_{0} + a_{0}b_{2} + a_{3}b_{1} + a_{1}b_{3} + a_{1}b_{1}\right)\alpha^{4} + \\ &\quad \left(a_{0}b_{1} + a_{1}b_{0} + a_{3}b_{1} + a_{1}b_{3} + a_{0}b_{2} + a_{2}b_{0} + a_{2}b_{2}\right)\alpha^{8} \end{aligned}$ Using the brief notation, one may have (a₁b₂+a₂b₁+a₀b₂+a₂b₀+a₁b₃+a₃b₁+a₃b₃)=(1,2)+(0,2)+(1,3)+(3)=[1,2]+[0,2]+[1,3]+(0), (a₂b₃+a₃b₂+a₁b₃+a₃b₁+a₂b₀+a₀b₂+a₀b₀)=(2,3)+(1,3)+(2,0)+(0)=[2,3]+[1,3]+[2,0]+(1), (a₃b₀+a₀b₃+a₂b₀+a₀b₂+a₃b₁+a₁b₃+a₁b₁)=(3,0)+(2,0)+(3,1)+(1)=[3,0]+[2,0]+[3,1]+(2), (a₀b₁+a₁b₀+a₃b₁+a₁b₃+a₀b₂+a₂b₀+a₂b₂)=(0,1)+(3,1)+(0,2)+(2)=[0,1]+[3,1]+[0,2]+(3). The complexity and the depth of multiplication (for odd n) thus have upper bounds L(M(4n))≦10L(M(n))+21n, D(M(4n))≦D(M(n))+3.

EXAMPLE Logical Circuits for Multiplicative Operations in the Field GF(2¹²)

From foregoing descriptions, it follows that one may construct a multiplication circuit in the field GF(2⁴) with the complexity L(M(4))=31 and the depth D(M(4))=4, and an inversion circuit with the complexity L(I(4))=24 and the depth D(I(4))=3.

Using the foregoing described method of cubic extension, one may thus construct logic circuits for multiplication and inversion in the field GF(2¹²) with the following complexity and depth: L(M(12))=6L(M(4))+48=234, D(M(12))=3+D(M(4))=7, L(I(12))≦L(I(4))+9L(M(4))+28=331, and D(I(12))≦D(I(4))+3D(M(4))+1=16.

Using 5th Degree Extension

Let k=5, and let n not be divisible by 5. One may use in the field GF(2^(5n)) a basis B_(αβ)={αβ,αβ², . . . ,αβ^(2^(n−1)), . . . ,α¹⁶β, . . . ,α¹⁶β^(2^(n−1))}, which is a product of the optimal normal basis of order 5 B_(α)={α, α², α⁴, α⁸, α¹⁶}, α+α²+α⁴+α⁵=1, and any normal (or standard polynomial) basis B_(β).

Any element x=(x₀α+x₁α²+x₂α⁴+x₃α⁸+x₄α¹⁶)∈GF(q⁵), x_(i)∈GF(q), q=2^(n) may be inverted by the equality: (x₀α+x₁α²+x₂α⁴+x₃α⁸+x₄α¹⁶)⁻¹=[σ(x)σ²(x)σ³(x)σ⁴(x)]/N, where the norm N is equal to the product N=xσ(x)σ²(x)σ³(x)σ⁴(x), where σ(x)=(x₄α+x₀α²+x₁α⁴+x₂α⁸+x₃α¹⁶) is a shift of vector x, and σ^(k)(x)=σ(σ^(k−1)(x)) is k-multiple shift (shift by k positions).

Using the equality σ(x)σ(y)=σ(xy), the norm may be invariant under a shift because

$\begin{aligned} \sigma(N) &= \sigma\left(x\,\sigma(x)\sigma^{2}(x)\sigma^{3}(x)\sigma^{4}(x)\right) \\ &= \sigma(x)\sigma^{2}(x)\sigma^{3}(x)\sigma^{4}(x)\sigma^{5}(x) \\ &= \sigma(x)\sigma^{2}(x)\sigma^{3}(x)\sigma^{4}(x)\,x \\ &= N \end{aligned}$ Therefore N=x₀α+x₁α²+x₂α⁴+x₃α⁸+x₄α¹⁶=x₀=x₁=x₂=x₃=x₄, since α+α²+α⁴+α⁸+α¹⁶=1.

N may be computed:

$\begin{aligned} N = {} & \left(\sum\limits_{i=0}^{4} x_{i}^{2} + \sum\limits_{i<j} x_{i}x_{j}\right)^{2} \sum\limits_{i=0}^{4} x_{i} + \sum\limits_{i=0}^{4} x_{i}^{2}x_{i \oplus 2}\left(x_{i \oplus 1}x_{i \oplus 4} + x_{i \oplus 3}^{2}\right) \\ & + \sum\limits_{i=0}^{4} x_{i}^{3}\left(\left(x_{i} + x_{i \oplus 1}\right)\left(x_{i \oplus 2} + x_{i \oplus 3}\right) + x_{i \oplus 3}^{2} + x_{i \oplus 1}^{2} + x_{i \oplus 4}x_{i \oplus 3}\right) \\ & + \prod\limits_{i=0}^{4} x_{i} \in GF(q), \end{aligned}$ where ⊕ is addition modulo 5.

One may also note that σ(x)σ²(x)σ³(x)σ⁴(x)=X₀α+X₁α²+X₂α⁴+X₃α⁸+X₄α¹⁶, where all coordinates X_(i) shift if inputs shift.

In fact, σ(σ(x)σ²(x)σ³(x)σ⁴(x))=σ(Nx⁻¹)=Nσ(x)⁻¹=σ(σ(x))σ²(σ(x))σ³(σ(x))σ⁴(σ(x)). Therefore for brevity one may compute only the first coordinate in this product

$\begin{matrix} {X_{0} = {{\left( {x_{2}^{2} + x_{4}^{2}} \right)\left( {x_{0}^{2} + x_{1}^{2} + x_{3}^{2} + x_{4}^{2}} \right)} + x_{0}^{4} + x_{1}^{4} + {x_{1}x_{2}x_{3}x_{4}} + {x_{4}^{3}\left( {x_{1} + x_{2}} \right)} +}} \\ {{x_{2}^{3}\left( {x_{1} + x_{3}} \right)} + {x_{4}\left( {x_{1}^{3} + x_{3}^{3}} \right)} + {x_{1}^{2}x_{2}x_{3}} + {x_{3}^{2}x_{2}x_{4}} + {x_{4}^{2}x_{1}x_{3}} +} \\ {x_{0}^{2}\left( {{x_{1}x_{2}} + {x_{3}x_{4}} + {x_{1}x_{3}}} \right)} \end{matrix}$

To estimate the complexity of inversion, one may assume for simplicity that in the field GF(2^(n)) a normal basis is chosen.

At first one may compute all cubes x_(i)³ with the complexity of 5L(M(n)) and the depth of D(M(n)), then compute all products x_(i)x_(j) with the same depth and the complexity of 10L(M(n)), then compute all sums α_(i)+α_(j), α_(i)⁴+α_(i⊕1)⁴, α_(i)²+α_(i⊕2)², with the depth of 1 and the complexity of 20n, and all sums α_(i)³+α_(i⊕2)³ with the depth of 1+D(M(n)) and the complexity of 5n.

Then one may compute the formula

$\left( {{\sum\limits_{i = 0}^{4}x_{i}^{2}} + {\sum\limits_{i < j}{x_{i}x_{j}}}} \right)^{2}{\sum\limits_{i = 0}^{4}x_{i}}$ with the complexity of 4L(M(n))+6n and the depth of 3+2D(M(n)), using the equality

$\begin{matrix} {{{\sum\limits_{i = 0}^{4}x_{i}^{2}} + {\sum\limits_{i < j}{x_{i}x_{j}}}} = {\left( {x_{3}^{2} + x_{0}^{2} + {x_{0}x_{1}}} \right) + \left( {x_{1}^{2} + x_{4}^{2} + {x_{3}x_{4}}} \right) +}} \\ {\left( {x_{0} + x_{1} + x_{2}} \right)\left( {x_{2} + x_{3} + x_{4}} \right)} \end{matrix}$

Next one may compute the formula

$\sum\limits_{i = 0}^{4}{x_{i}^{3}\left( {{\left( {x_{i} + x_{i \oplus 1}} \right)\left( {x_{i \oplus 2} + x_{i \oplus 3}} \right)} + x_{i \oplus 3}^{2} + x_{i \oplus 1}^{2} + {x_{i \oplus 4}x_{i \oplus 3}}} \right)}$ with the complexity of 10L(M(n))+14n and the depth of 5+2D(M(n)), and the formula

$\sum\limits_{i = 0}^{4}{x_{i}^{2}{x_{i \oplus 2}\left( {{x_{i \oplus 1}x_{i \oplus 4}} + x_{i \oplus 3}^{2}} \right)}}$ with the complexity of 10L(M(n))+9n and the depth of 4+2D(M(n)).

Then one may compute the sum of the last formula with the complexity of 10L(M(n))+14n+10L(M(n))+9n and the depth of 6+2D(M(n)).

But the depth may be decreased by 1 without increasing the complexity if one represents this sum as the sum of 10 additive terms, of which only 5 terms have the depth of 2+2D(M(n)) and the others have the depth of 1+2D(M(n)), and constructs a binary tree from operations of addition so that 5 of its vertices have the depth of 3, and the other 5 vertices have the depth of 4.

Therefore the sum of the foregoing three given formulas has the complexity of 24L(M(n))+29n and the depth of 6+2D(M(n)). One may add a term

$\prod\limits_{i = 0}^{4}x_{i}$ with the complexity of 2L(M(n))+n and the depth of 2D(M(n))+1+max{D(M(n)),6}. Therefore the norm N computed may have the complexity of 41L(M(n))+57n and the depth of 2D(M(n))+1+max{D(M(n)),6}.

The formula (X_(i⊕2) ²+X_(i⊕4) ²)(X_(i) ²+X_(i⊕1) ²+X_(i⊕3) ²+X_(i⊕4) ²)+X_(i) ⁴+X_(i⊕1) ⁴ computed may have the complexity of 5L(M(n))+10n and the depth of 3+D(M(n)).

The formula

x_(i ⊕ 4)³(x_(i ⊕ 1) + x_(i ⊕ 2)) + x_(i ⊕ 2)³(x_(i ⊕ 1) + x_(i ⊕ 3)) + x_(i ⊕ 4)(x_(i ⊕ 1)³ + x_(i ⊕ 3)³) + x_(i ⊕ 1)²x_(i ⊕ 2)x_(i ⊕ 3) + x_(i ⊕ 1)x_(i ⊕ 2)x_(i ⊕ 3)x_(i ⊕ 4) + x_(i ⊕ 3)²x_(i ⊕ 2)x_(i ⊕ 4) + x_(i ⊕ 4)²x_(i ⊕ 1)x_(i ⊕ 3) + x_(i)²(x_(i ⊕ 1)x_(i ⊕ 2) + x_(i ⊕ 3)x_(i ⊕ 4) + x_(i ⊕ 1)x_(i ⊕ 3)) computed may have the complexity of 40L(M(n))+45n and the depth of 4+2D(M(n)).

Therefore the system X_(i), i=0, . . . , 4 may have the complexity 45L(M(n))+60n and the depth 5+2D(M(n)).

The complexity of operator N, X_(i) is equal to 45L(M(n))+60n+41L(M(n))+57n=86L(M(n))+117n, and the depth is equal to 2D(M(n))+1+max {D(M(n)), 6}.

Final estimates for the complexity and depth of inversion are L(I(5n))≦L(I(n))+91L(M(n))+117n, D(I(5n))≦D(I(n))+3D(M(n))+1+max {D(M(n)),6}.

Inversion in Field GF(2⁵)

In the particular case x_(i) εGF(2), the equality x_(i) ²=x_(i) is valid, and consequently the norm of a nonzero element is equal to 1.

Since all coordinates of the element (x₀α+x₁α²+x₂α⁴+x₃α⁸+x₄α¹⁶)⁻¹ shift when the inputs shift, it may be sufficient to compute only the first coordinate as follows:

$\begin{matrix} {X_{0} = {{\left( {x_{2}^{2} + x_{4}^{2}} \right)\left( {x_{0}^{2} + x_{1}^{2} + x_{3}^{2} + x_{4}^{2}} \right)} + x_{0}^{4} + x_{1}^{4} + {x_{1}x_{2}x_{3}x_{4}} +}} \\ {{x_{4}^{3}\left( {x_{1} + x_{2}} \right)} + {x_{2}^{3}\left( {x_{1} + x_{3}} \right)} + {x_{4}\left( {x_{1}^{3} + x_{3}^{3}} \right)} + {x_{1}^{2}x_{2}x_{3}} +} \\ {{x_{3}^{2}x_{2}x_{4}} + {x_{4}^{2}x_{1}x_{3}} + {x_{0}^{2}\left( {{x_{1}x_{2}} + {x_{3}x_{4}} + {x_{1}x_{3}}} \right)}} \\ {= {{x_{4}x_{1}} + x_{4} + x_{0} + x_{1} + {x_{1}x_{2}x_{3}x_{4}} + {x_{2}x_{0}} + {x_{4}x_{0}} +}} \\ {{x_{1}x_{2}x_{3}} + {x_{3}x_{2}x_{4}} + {x_{4}x_{1}x_{3}} + {x_{0}\left( {{x_{1}x_{2}} + {x_{3}x_{4}} + {x_{1}x_{3}}} \right)}} \\ {= {{\overline{x_{2}x_{3}}\left( {x_{1} \vee x_{4}} \right)} + {x_{0}x_{1}\left( {x_{2} + x_{3}} \right)} + {x_{3}x_{4}\left( {x_{0} + x_{1}} \right)} + {x_{0}\overline{x_{2} + x_{4}}}},} \end{matrix}$ where $\overline{x}$ is a brief notation for the negation of x.

The depth of this formula is 4, and the complexity is 14. Final estimations for the complexity and depth of inversion are D(I(5))≦4, L(I(5))≦55.

Multiplication in 5th Degree Extension

Using brief notations, multiplication may be represented by the formula (a₀α+a₁α²+a₂α⁴+a₃α⁸+a₄α¹⁶)(b₀α+b₁α²+b₂α⁴+b₃α⁸+b₄α¹⁶)=(c₀α+c₁α²+c₂α⁴+c₃α⁸+c₄α¹⁶), where

c₀=(0,1)+(1,3)+(2,3)+(2,4)+(4),

c₁=(1,2)+(2,4)+(3,4)+(3,0)+(0),

c₂=(2,3)+(3,0)+(4,0)+(4,1)+(1),

c₃=(3,4)+(4,1)+(0,1)+(0,2)+(2),

c₄=(4,0)+(0,2)+(1,2)+(1,3)+(3),

and (i,j)=x_(i)y_(j)+x_(j)y_(i), (i)=x_(i)y_(i), with x_(i), y_(i) denoting the coordinates a_(i), b_(i) of the two factors.

The complexity and the depth of multiplication (n is not divisible by 5) may have upper bounds: L(M(5n))≦15L(M(n))+40n, D(M(5n))≦D(M(n))+4.
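The GF(2⁵) inversion formula and the 5th-degree multiplication formulas above can be checked exhaustively against ordinary polynomial-basis arithmetic. The following is an added example, not code from the patent: it assumes α is a root of x⁵+x⁴+x²+x+1 (the relation α+α²+α⁴+α⁵=1 of claim 6), reads (i) as x_(i)y_(i) and the first negated product in X₀ as x₂x₃ (which is what the expanded polynomial form of X₀ requires), and all function names are hypothetical.

```python
# Added example, not code from the patent. Assumption: alpha is a root of
# x^5 + x^4 + x^2 + x + 1, i.e. alpha + alpha^2 + alpha^4 + alpha^5 = 1.
MOD = 0b110111

def pmul(u, v):
    """Reference product in the polynomial basis {1, alpha, ..., alpha^4}."""
    r = 0
    for _ in range(5):
        r ^= u if v & 1 else 0
        v, u = v >> 1, u << 1
        u ^= MOD if u & 0b100000 else 0
    return r

# Normal basis alpha^(2^i), i = 0..4, stored as polynomial-basis bit vectors.
BETA = [0b00010]
for _ in range(4):
    BETA.append(pmul(BETA[-1], BETA[-1]))

def to_poly(x):
    """Convert normal-basis coordinates [x0..x4] to the polynomial basis."""
    r = 0
    for xi, beta in zip(x, BETA):
        r ^= beta if xi else 0
    return r

def nb_mul(x, y):
    """c_k from the page: c_0 = (0,1)+(1,3)+(2,3)+(2,4)+(4), indices shifted by k."""
    def pair(i, j, k):
        i, j = (i + k) % 5, (j + k) % 5
        return (x[i] & y[j]) ^ (x[j] & y[i])
    return [pair(0, 1, k) ^ pair(1, 3, k) ^ pair(2, 3, k) ^ pair(2, 4, k)
            ^ (x[(4 + k) % 5] & y[(4 + k) % 5]) for k in range(5)]

def nb_inv(x):
    """X_k: the final Boolean form of X_0 applied to the input rotated by k."""
    out = []
    for k in range(5):
        x0, x1, x2, x3, x4 = (x[(k + t) % 5] for t in range(5))
        out.append(((1 ^ (x2 & x3)) & (x1 | x4)) ^ (x0 & x1 & (x2 ^ x3))
                   ^ (x3 & x4 & (x0 ^ x1)) ^ (x0 & (1 ^ x2 ^ x4)))
    return out

def verify():
    """Return (multiplication mismatches, inversion failures) over the whole field."""
    vecs = [[(n >> i) & 1 for i in range(5)] for n in range(32)]
    bad_mul = sum(to_poly(nb_mul(x, y)) != pmul(to_poly(x), to_poly(y))
                  for x in vecs for y in vecs)
    bad_inv = sum(nb_mul(x, nb_inv(x)) != [1] * 5 for x in vecs[1:])
    return bad_mul, bad_inv
```

In this basis the field unit is the all-ones vector, so `verify()` counts every nonzero x for which x·X differs from (1,1,1,1,1).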

EXAMPLE Logical Circuits for Multiplicative Operations in the Field GF(2²⁰)

Using extension of 5th degree, one may construct a logic circuit for inversion with the complexity of L(I(20))≦L(I(4))+91L(M(4))+468=3100+468+24=3313 and the depth of D(I(20))≦D(I(4))+3D(M(4))+1+max{D(M(4)),6}=22 since L(M(4))=31,D(M(4))=4,L(I(4))=24,D(I(4))=3, as shown in the foregoing description.

Using biquadratic extension one may construct a logic circuit for inversion with the complexity of L(I(20))≦L(I(5))+30L(M(5))+170=1875 and the depth of D(I(20))≦D(I(5))+3D(M(5))+4=23.

The two logic circuits use different bases in the field GF(2²⁰), but these bases are equivalent: one is a permutation of the other, and some are a normal basis in this field. For any of these bases, the complexity and the depth of multiplication may have upper bounds L(M(20))≦15L(M(4))+160=625, D(M(20))≦D(M(4))+4=8.

It is to be noted that the above described embodiments according to the present invention may be conveniently implemented using conventional general purpose digital computers programmed according to the teachings of the present specification, as will be apparent to those skilled in the computer art. Appropriate software coding may readily be prepared by skilled programmers based on the teachings of the present disclosure, as will be apparent to those skilled in the software art.

It is to be understood that the present invention may be conveniently implemented in forms of software package. Such a software package may be a computer program product which employs a storage medium including stored computer code which is used to program a computer to perform the disclosed function and process of the present invention. The storage medium may include, but is not limited to, any type of conventional floppy disks, optical disks, CD-ROMS, magneto-optical disks, ROMs, RAMs, EPROMs, EEPROMs, magnetic or optical cards, or any other suitable media for storing electronic instructions.

It is also understood that the specific order or hierarchy of steps in the methods disclosed are examples of exemplary approaches. Based upon design preferences, it is understood that the specific order or hierarchy of steps in the method can be rearranged while remaining within the scope of the present invention. The accompanying method claims present elements of the various steps in a sample order, and are not meant to be limited to the specific order or hierarchy presented.

It is believed that the present invention and many of its attendant advantages will be understood by the foregoing description. It is also believed that it will be apparent that various changes may be made in the form, construction and arrangement of the components thereof without departing from the scope and spirit of the invention or without sacrificing all of its material advantages. The form herein before described being merely an explanatory embodiment thereof, it is the intention of the following claims to encompass and include such changes. 

1. A device for calculating an inversion in finite field GF(2^(2n)), wherein n is a positive integer, comprising: (a) means for expressing an element eεGF(2^(2n)) as e=x ₀ α+x ₁α²(x ₀ ,x ₁ εGF(2^(n))) where α+α²=1 so that an inverse e⁻¹ of said element e in said finite field GF(2^(2n)) is expressed as a combination of arithmetic operations performed in subfield GF(2^(n)) given by e ⁻¹=(x ₁ /N)α+(x ₀ /N)α² where N=(x₀ ²+x₁ ²)+x₀x₁εGF(2^(n)) by using an optimal normal basis of order 2 {α, α²}; and (b) means for calculating said inverse e⁻¹ of said element e in said finite field GF(2^(2n)) by executing said combination of arithmetic operations in said subfield GF(2^(n)).
 2. A device for calculating an inversion in finite field GF(2^(3n)), wherein n is a positive integer, comprising: (a) means for expressing an element eεGF(2^(3n)) as e=x ₀ α+x ₁α² +x ₂α⁴(x ₀ ,x ₁ ,x ₂ εGF(2^(n))) where α²+α³=1 so that an inverse e⁻¹ of said element e in said finite field GF(2^(3n)) is expressed as a combination of arithmetic operations performed in subfield GF(2^(n)) given by e ⁻¹=[((x ₀ +x ₂)² +x ₁ x ₂)/N]α+[((x ₁ +x ₀)² +x ₀ x ₂)/N]α ²+[((x ₁ +x ₂)² +x ₁ x ₀)/N]α ⁴ where N=x₀x₁x₂+(x₁+x₂)³ +(x₀+x₂)²(x₀+x₁)εGF(2^(n)) by using an optimal normal basis of order 3 {α, α², α⁴}; and (b) means for calculating said inverse e⁻¹ of said element e in said finite field GF(2^(3n)) by executing said combination of arithmetic operations in said subfield GF(2^(n)).
 3. The device of claim 2, wherein said n=1.
 4. A device for calculating an inversion in finite field GF(2^(4n)), wherein n is a positive integer, comprising: (a) means for expressing an element eεGF(2^(4n)) as e=x ₀ α+x ₁α² +x ₂α⁴ +x ₃α⁸(x ₀ ,x ₁ ,x ₂ ,x ₃ εGF(2^(n))) where α+α²+α³+α⁴=1 so that an inverse e⁻¹ of said element e in said finite field GF(2^(4n)) is expressed as a combination of arithmetic operations performed in subfield GF(2^(n)) given by e ⁻¹=(X ₀ /N)α+(X ₁ /N)α²+(X ₂ /N)α⁴+(X ₃ /N)α⁸ where $N = {{\sum\limits_{i = 0}^{3}{x_{i}^{3}{\sum\limits_{i = 0}^{3}x_{i}}}} + {\sum\limits_{i = 0}^{3}{x_{i}^{2}\mspace{11mu} x_{i \oplus 2}x_{i \oplus 3}}} + \left( {\sum\limits_{i \neq j}{x_{i}x_{j}}} \right)^{2} + {\prod\limits_{i = 0}^{3}x_{i}} \in {{GF}\left( 2^{n} \right)}}$ X ₀ =x ₂ ²(x ₀ +x ₂ +x ₁)+x ₁ ² x ₂+(x ₂ +x ₀ +x ₃)m(x ₀ ,x ₁ ,x ₃) X ₁ =x ₃ ²(x ₁ +x ₃ +x ₂)+x ₂ ² x ₃+(x ₃ +x ₁ +x ₀)m(x ₁ ,x ₂ ,x ₀) X ₂ =x ₀ ²(x ₂ +x ₀ +x ₃)+x ₃ ² x ₀+(x ₀ +x ₂ +x ₁)m(x ₂ ,x ₃ ,x ₁) X ₃ =x ₁ ²(x ₃ +x ₁ +x ₀)+x ₀ ² x ₁+(x ₁ +x ₃ +x ₂)m(x ₃ ,x ₀ ,x ₂) ⊕ is addition modulo 4, by using an optimal normal basis of order 4 {α, α², α⁴, α⁸}; and (b) means for calculating said inverse e⁻¹ of said element e in said finite field GF(2^(4n)) by executing said combination of arithmetic operations in said subfield GF(2^(n)).
 5. The device of claim 4, wherein said n=1.
 6. A device for calculating an inversion in finite field GF(2^(5n)), wherein n is a positive integer, comprising: (a) means for expressing an element eεGF(2^(5n)) as e=x ₀ α+x ₁α² +x ₂α⁴ +x ₃α⁸ +x ₄α¹⁶(x ₀ ,x ₁ ,x ₂ ,x ₃ ,x ₄ εGF(2^(n))) where α+α²+α⁴+α⁵=1 so that an inverse e⁻¹ of said element e in said finite field GF(2^(5n)) is expressed as a combination of arithmetic operations performed in subfield GF(2^(n)) given by e ⁻¹=[σ(x)σ²(x)σ³(x)σ⁴(x)]/N where σ(x)=(x ₄ α+x ₀α² +x ₁α⁴ +x ₂α⁸ +x ₃α¹⁶) $\begin{matrix} {N = {{\left( {{\sum\limits_{i = 0}^{4}x_{i}^{2}} + {\sum\limits_{i < j}{x_{i}x_{j}}}} \right)^{2}{\sum\limits_{i = 0}^{4}x_{i}}} + {\sum\limits_{i = 0}^{4}{x_{i}^{2}{x_{i \oplus 2}\left( {{x_{i \oplus 1}x_{i \oplus 4}} + x_{i \oplus 3}^{2}} \right)}}} +}} \\ {{\sum\limits_{i = 0}^{4}{x_{i}^{3}\left( {{\left( {x_{i} + x_{i \oplus 1}} \right)\left( {x_{i \oplus 2} + x_{i \oplus 3}} \right)} + x_{i \oplus 3}^{2} + x_{i \oplus 1}^{2} + {x_{i \oplus 4}x_{i \oplus 3}}} \right)}} +} \\ {{\prod\limits_{i = 0}^{4}x_{i}} \in {{GF}\left( 2^{n} \right)}} \end{matrix}$ ⊕ is addition modulo 5, by using an optimal normal basis of order 5 {α, α², α⁴, α⁸, α¹⁶}; and (b) means for calculating said inverse e⁻¹ of said element e in said finite field GF(2^(5n)) by executing said combination of arithmetic operations in said subfield GF(2^(n)).
 7. The device of claim 6, wherein n=1. 